[Git][security-tracker-team/security-tracker][master] Marked quite a few golang issues as no-dsa for buster. Either with motivation...
Ola Lundqvist (@opal)
opal at debian.org
Tue Sep 6 21:28:26 BST 2022
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d678175c by Ola Lundqvist at 2022-09-06T22:28:10+02:00
Marked quite a few golang issues as no-dsa for buster, either with motivation "minor issue" or "limited support", depending on the severity of the CVE.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20559,6 +20559,7 @@ CVE-2022-32189 (A too-short encoded message can cause a panic in Float.GobDecode
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://go.dev/issue/53871
NOTE: https://groups.google.com/g/golang-nuts/c/DCFSyTGM0wU
NOTE: https://github.com/golang/go/commit/055113ef364337607e3e72ed7d48df67fde6fc66 (master, go1.19)
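Review bot: the motivation on the new `[buster] - golang-1.11 <no-dsa> (Limited support)` line does not record why the fix is not worth shipping, whereas the same decision for the Go toolchain is spelled out elsewhere in this file, e.g. `[stretch] - golang-1.7 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)` under CVE-2021-31525. A toolchain update only reaches affected binaries once the reverse-dependencies are rebuilt, so stating that (in the motivation or a NOTE) would make the no-dsa decision self-documenting at the next triage pass. The same applies to the identical golang-1.11 lines added in this commit for CVE-2022-1962, CVE-2022-30630, CVE-2022-1705 and CVE-2022-28131.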
@@ -20692,6 +20693,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse functions in go/parser before
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://go.dev/issue/53616
NOTE: https://github.com/golang/go/commit/695be961d57508da5a82217f7415200a11845879 (go1.19rc2)
NOTE: https://github.com/golang/go/commit/0d1615b23f9a558aa0a1957b4c81596220eb8ec4 (go1.18.4)
@@ -25061,6 +25063,7 @@ CVE-2022-30630 (Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://go.dev/issue/53415
NOTE: https://github.com/golang/go/commit/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 (go1.19rc2)
NOTE: https://github.com/golang/go/commit/315e80d293b684ac2902819e58f618f1b5a14d49 (go1.18.4)
@@ -25116,6 +25119,7 @@ CVE-2022-1705 (Acceptance of some invalid Transfer-Encoding headers in the HTTP/
- golang-1.17 1.17.13-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://go.dev/issue/53188
NOTE: https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f (go1.19rc1)
NOTE: https://github.com/golang/go/commit/222ee24a0046ae61679f4d97967e3b4058a3b90e (go1.18.4)
@@ -26050,18 +26054,21 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 w
CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <no-dsa> (Limited support)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
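Review bot: CVE-2022-30321 is the only go-getter entry in this hunk whose buster line says `(Limited support)`; the bullseye line directly above it for the same package says `(Minor issue)`, and the buster lines added for CVE-2022-30323, CVE-2022-30322 and (later in this commit) CVE-2022-26945 all say `(Minor issue)`. If the different wording is deliberate because "arbitrary host access" is judged more severe than the panic and resource-exhaustion issues from the same HCSEC-2022-13 advisory, a one-line NOTE saying so would help; otherwise it looks like a copy-paste slip and should be aligned with the sibling entries.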
@@ -32625,6 +32632,7 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x
- golang-1.18 1.18.4-1
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
CVE-2022-28130
RESERVED
CVE-2022-28129 (Improper Input Validation vulnerability in HTTP/1.1 header parsing of ...)
@@ -35312,6 +35320,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva document management system
NOT-FOR-US: Aseco
CVE-2022-27191 (The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...)
- golang-go.crypto 1:0.0~git20220315.3147a52-1
+ [buster] - golang-go.crypto <no-dsa> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ
NOTE: https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d
CVE-2022-27190
@@ -36056,6 +36065,7 @@ CVE-2022-26946
CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [buster] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
NOTE: https://github.com/hashicorp/go-getter/pull/359
NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
@@ -56459,6 +56469,7 @@ CVE-2021-44716 (net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows un
- golang-golang-x-net 1:0.0+git20211209.491a49a+dfsg-1
[bullseye] - golang-golang-x-net <no-dsa> (Minor issue)
- golang-golang-x-net-dev <removed>
+ [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
[stretch] - golang-golang-x-net-dev <postponed> (Limited support in stretch)
NOTE: https://github.com/golang/go/issues/50058
NOTE: https://groups.google.com/g/golang-announce/c/hcmEScgc00k/m/ZWnOjeY4CQAJ
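Review bot: the new buster line uses `<no-dsa>` while the stretch line right below it tracks the same golang-golang-x-net-dev package as `<postponed> (Limited support in stretch)`. The two tags mean different things in the tracker: `<postponed>` keeps the issue pending a fix, typically to be bundled with a later update, while `<no-dsa>` records that no advisory is planned. If buster is meant to mirror stretch's handling, `<postponed>` would be the consistent choice; if the intent really is "will not be fixed", the current tag is right, but it is worth confirming that the difference is intentional. The same `<no-dsa>` above `<postponed>` pairing appears in the CVE-2021-43565 hunk below.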
@@ -61165,6 +61176,7 @@ CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malic
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979
CVE-2021-43565 (The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of g ...)
- golang-go.crypto 1:0.0~git20211202.5770296-1
+ [buster] - golang-go.crypto <no-dsa> (Limited support)
[stretch] - golang-go.crypto <postponed> (Limited support in stretch)
NOTE: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
NOTE: https://github.com/golang/go/issues/49932
@@ -76183,6 +76195,7 @@ CVE-2021-38561
RESERVED
- golang-golang-x-text 0.3.7-1
- golang-x-text <removed>
+ [buster] - golang-x-text <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100495
CVE-2021-38560 (Ivanti Service Manager 2021.1 allows reflected XSS via the appName par ...)
NOT-FOR-US: Ivanti
@@ -89528,6 +89541,7 @@ CVE-2021-33195 (Go before 1.15.13 and 1.16.x before 1.16.5 has functions for DNS
CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4
- golang-golang-x-net-dev <removed>
+ [buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
NOTE: https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
NOTE: https://github.com/golang/go/issues/46288
@@ -93998,6 +94012,7 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
[stretch] - golang-1.7 <postponed> (Minor issue, DoS, requires rebuilding reverse-dependencies)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
- golang-golang-x-net-dev <removed>
+ [buster] - golang-golang-x-net-dev <no-dsa> (Limited support)
[stretch] - golang-golang-x-net-dev <no-dsa> (Limited support in stretch)
NOTE: https://github.com/golang/go/issues/45710
NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
@@ -113313,6 +113328,7 @@ CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and
NOTE: https://github.com/servo/rust-smallvec/issues/252
CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorre ...)
- golang-github-nats-io-jwt 2.2.0-1
+ [buster] - golang-github-nats-io-jwt <no-dsa> (Limited support)
- nats-server <not-affected> (Fixed before initial upload to Debian)
NOTE: https://advisories.nats.io/CVE/CVE-2021-3127.txt
NOTE: https://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c
@@ -124981,6 +124997,7 @@ CVE-2020-35381 (jsonparser 1.0.0 allows attackers to cause a denial of service (
NOTE: https://github.com/buger/jsonparser/issues/219
CVE-2020-35380 (GJSON before 1.6.4 allows attackers to cause a denial of service via c ...)
- golang-github-tidwall-gjson 1.6.7-1 (bug #977622)
+ [buster] - golang-github-tidwall-gjson <no-dsa> (Limited support)
NOTE: https://github.com/tidwall/gjson/issues/192
NOTE: https://github.com/tidwall/gjson/commit/f0ee9ebde4b619767ae4ac03e8e42addb530f6bc (v1.6.4)
CVE-2020-35379
@@ -134978,6 +134995,7 @@ CVE-2020-27813 (An integer overflow vulnerability exists with the length of webs
{DLA-2520-1}
- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
- golang-websocket <removed>
+ [buster] - golang-websocket <no-dsa> (Limited support)
NOTE: https://github.com/gorilla/websocket/security/advisories/GHSA-jf24-p9p9-4rjh
NOTE: https://github.com/gorilla/websocket/commit/5b740c29263eb386f33f265561c8262522f19d37 (v1.4.1)
CVE-2020-27812
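Review bot: `{DLA-2520-1}` on this entry shows the CVE was already fixed through an LTS advisory for an older release, so marking golang-websocket in buster `<no-dsa> (Limited support)` reads as a change in assessment for the same source package. A NOTE stating why buster is treated differently (for example that golang-websocket is `<removed>` and only the renamed golang-github-gorilla-websocket source is still maintained, as the `<not-affected>` line above records) would save the question from coming up again at the next triage pass.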
@@ -228636,6 +228654,7 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote at
CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
{DLA-2402-1 DLA-1920-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
+ [buster] - golang-go.crypto <no-dsa> (Limited support)
NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
NOTE: but not the first ("ignores the value of [the Hash] header"), as hinted at reporter's 2019-05-09 note:
@@ -228644,6 +228663,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi
CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
{DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
+ [buster] - golang-go.crypto <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/30965
NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
NOTE: https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
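Review bot: this entry carries five DLA references (`{DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}`), i.e. it was fixed repeatedly for older releases, yet buster gets `<no-dsa> (Minor issue)`; and the adjacent CVE-2019-11841 entry above, for the same golang-go.crypto package in buster, gets `<no-dsa> (Limited support)` instead. Either motivation may be correct on its own, but two different reasons for the same package in neighbouring entries, against that advisory history, deserve a short NOTE explaining the distinction.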
@@ -236497,6 +236517,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
+ [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
- nodejs 10.16.3~dfsg-1 (bug #934885)
[stretch] - nodejs <not-affected> (No HTTP2 support yet)
[jessie] - nodejs <not-affected> (No HTTP2 support yet)
@@ -236537,6 +236558,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
+ [buster] - golang-golang-x-net-dev <no-dsa> (Minor issue)
- trafficserver 8.0.5+ds-1 (bug #934887)
- h2o 2.2.5+dfsg2-3 (bug #934886)
NOTE: Issue: https://github.com/golang/go/issues/33606
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d678175c74882956575d974e4d3a8bd4978ef1ae